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1  Introduction 


The  critical  section  problem  has  been  widely  studied  for  its  illustrative  value 
in  problems  of  synchronization  as  well  as  for  its  practical  application  to  real 
concurrent  systems  (BJLFP821,  (BurSl],  (CH75),  (CH78],  [CH791,  (deB67l, 
[Dij65],  (EM721,  [FLBB79],  [Knu66),  (Lam74),  [Lam76),  [Lam77],  lLam80], 
[Mor79],  [PetSO],  [PetSl],  (PF77],  [RP76].  The  problem  is  to  devise  protocols 
for  each  of  several  communicating  asynchronous  parallel  processes  to  control 
access  to  a  designated  section  of  code  called  the  critical  section.  Such  code 
might  manipulate  a  common  resource,  in  which  case  access  to  the  critical 
section  corresponds  to  allocation  of  the  resource.  In  the  simple  case  of  a 
single  nonsharabie  reusable  resource  such  as  a  line  printer  or  a  tape  drive, 
the  two  basic  properties  desired  of  the  access  policy  are  mutual  exclusion 
and  impossibility  of  deadlock.  Mutual  exclusion  means  that  two  processes 
can  never  simultaneously  be  executing  their  critical  sections.  Deadlock  is  a 
situation  in  which  one  or  more  processes  are  attempting  to  enter  or  leave 
their  critical  sections,  but  none  of  them  ever  succeeds.  Finding  appropriate 
protocols  to  insure  these  two  properties  is  the  critical  section  problem. 

Two  protocols  comprise  a  solution.  The  trying  protocol  is  the  section  of 
code  that  a  process  executes  before  being  admitted  to  its  critical  section, 
and  the  exit  protocol  is  the  code  to  be  run  when  the  process  leaves  its  critical 
section  and  returns  to  the  remainder  of  its  code,  called  the  remainder  section. 
Equivalently,  the  trying  protocol  allocates  the  resource  corresponding  to  the 
critical  section  and  the  exit  protocol  returns  it  to  the  system. 

In  this  paper,  we  generalize  the  critical  section  problem  to  the  case  where 
some  number  fc  >  1  of  processes  (but  not  more)  are  permitted  to  be  simulta¬ 
neously  in  their  critical  sections.  Regarded  as  a  resource-allocation  problem, 
we  consider  k  identical  copies  of  a  non-sharable  reusable  resource,  where  each 
process  can  request  at  most  one  copy  of  that  resource.  Again,  entry  to  the 
critical  section  corresponds  to  allocation  of  a  resource  copy,  but  we  ignore 
questions  of  just  how  the  individual  copies  of  the  resource  are  managed. 

The  exclusion  property  of  the  /r-critical  section  problem,  that  at  most 
k  processes  are  ever  simultaneously  in  their  critical  sections,  we  call  k- 
exclusion.  To  avoid  degenerate  solutions,  we  must  also  formalize  the  notion 
that  “it  should  be  possible  for  as  many  as  k  processes  to  be  simultaneously 
in  their  critical  sections.”  We  interpret  this  to  mean,  roughly,  that  if  fewer 
than  k  processes  are  in  their  critical  sections,  then  it  is  possible  for  another 
process  to  enter  its  critical  section,  even  though  no  process  leaves  its  criti¬ 
cal  section  in  the  meantime.  We  call  this  property  “avoiding  fc-deadlock” . 


Precise  definitions  of  these  properties  are  deferred  until  Section  3,  after  the 
algorithms  have  been  presented. 

A  trivial  generalization  of  a  binary  semaphore  yields  a  system  exhibiting 
Jb-exclusion  and  no  Jb-deadlock.  Assume  a  shared  variable,  COUNT,  which  at 
any  time  contains  the  correct  count  of  the  number  of  processes  currently  in 
their  critical  sections.  A  process  wanting  to  enter  its  critical  section  performs 
sm  atomic  transaction  on  COUNT  which,  in  one  indivisible  step,  reads  the 
value  of  COUNT,  increments  it  if  it  was  less  than  fc,  and  stores  back  the 
result.  The  process  then  proceeds  to  its  critical  section  if  it  saw  COUNT  less 
than  k,  and  it  loops  back  and  repeats  the  test  otherwise  (busy- waiting).  A 
process  leaving  its  critical  section  simply  decrements  COUNT. 

This  algorithm  imposes  no  fairness  criteria  on  the  order  in  which  pro¬ 
cesses  enter  their  critical  sections,  and  in  fact  it  is  possible  that  an  individual 
process  will  always  find  the  critical  section  “full”  (i.  e.  COUNT  =  k)  when¬ 
ever  it  happens  to  examine  COUNT  and  therefore  will  be  “locked  out”  of  its 
critical  section  forever. 

Rather  than  devise  new  algorithms  for  the  k-critical  section  problem  with 
stronger  fairness  conditions,  an  obvious  approach  is  to  try  to  reduce  the  k- 
critical  section  problem  to  the  l-critical  section  problem  and  then  apply 
known  solutions  to  the  latter  problem,  e.g.  [BJLFP82),  jCH75),  JCHTS), 
(CH79),  {Lam74).  Such  a  hybrid  solution  is  commonly  used  in  banks  for 
scheduling  people  waiting  for  a  teller.  People  entering  the  bank  line  up  in  a 
single  queue.  When  one  or  more  tellers  become  available,  the  person  at  the 
head  of  the  queue  goes  to  any  free  teller. 

To  see  the  reduction  that  is  illustrated  by  this  simple  example,  think 
of  the  position  at  the  head  of  the  queue  as  a  “resource” .  Only  one  person 
has  this  resource  at  a  time,  and  the  queue  itself  serves  to  allocate  that 
resource  in  first-in-first-out  (FIFO)  order.  Only  the  person  holding  the  head- 
of-queue  resource  is  permitted  to  go  to  a  teller,  so  the  order  of  service  by  a 
teller  is  “essentially”  FIFO,  modulo  possible  delay  between  leaving  the  head 
of  the  queue  and  arriving  at  a  teller*.  Such  a  reduction  is  possible  given 
any  l-critical  section  solution,  and  the  number  of  values  of  shared  memory 
increases  by  only  a  factor  of  (k  -f  1). 

The  bank  algorithm  has  a  rather  subtle  defect  which  becomes  apparent 
when  several  tellers  become  simultaneously  free.  If  k  >  2  tellers  are  free,  one 

'By  running,  a  person  might  actually  arrive  at  a  teller  before  another  who  was  ahead 
of  him  in  the  queue.  Nevertheless,  we  consider  this  to  be  a  reasonable  approximation 
of  what  people  mean  by  FIFO  since  once  one  arrives  at  the  front  of  the  queue,  one  no 
longer  has  to  wait  for  others. 


would  like  the  first  k  people  in  line  to  ail  move  “simultaneously”  to  a  teller, 
yet  the  algorithm  requires  them  to  file  past  the  head  of  the  queue  one  at  a 
time.  If  the  person  at  the  front  of  the  line  is  slow,  the  k  -  I  people  behind 
him  are  forced  to  wait  unnecessarily.  In  fact,  if  the  person  at  the  front  of  the 
line  “fails”,  then  the  people  behind  him  wait  forever  and  the  system  stops 
functioning.  In  this  case,  one  failure  can  tie  up  all  of  the  system’s  resources! 

We  are  thus  led  to  generaJize  our  requirements  to  include  controlling  the 
degradation  of  processing  in  the  event  that  a  limited  number  of  processes 
fail  during  the  execution  of  their  protocols. 

Our  notion  of  “failure”  is  quite  different  from  the  “shutdown”  considered 
in  (RP761  and  {PF77|.  Unlike  a  pro  'ss  which  shuts  down,  a  failed  process 
does  not  announce  to  the  world  that  it  has  failed.  Rather,  we  say  a  process 
fails  if  there  is  a  time  after  which  it  executes  no  more  steps  of  its  program. 
To  distinguish  a  failed  process  from  a  correct  one  that  is  merely  running  very 
slowly,  one  must  look  infinitely  far  into  the  future  and  determine  that  it  never 
takes  another  step.  Thus,  other  processes  have  no  way  of  distinguishing  a 
failed  process  from  a  correct  one  in  a  finite  amount  of  time.  (In  particular, 
timeouts  won't  work  since  we  make  no  assumptions  about  the  relative  speeds 
of  processes.) 

Our  interest  in  this  kind  of  failure  stems  partly  from  the  praictical  prob¬ 
lems  of  building  fault-tolerant  distributed  systems  and  partly  from  the  de¬ 
sire  to  understand  the  dependencies  among  processes  competing  for  entry 
to  their  critical  sections.  Each  instance  of  one  process  waiting  for  another 
indicates  a  lack  of  concurrency  in  the  whole  solution.  Taken  together,  these 
dependencies  tend  to  cause  the  whole  system  to  run  at  the  speed  of  the 
slowest  process.  Algorithms  which  continue  to  operate  correctly  even  when 
a  limited  number  of  processes  fail  cannot  exhibit  such  simple  dependencies. 
For  example,  if  process  A  waits  for  process  B  to  take  some  action  and  pro¬ 
cess  B  were  to  fail,  then  process  A  would  wait  forever  and  make  no  further 
progress  toward  its  goal.  Hence,  B's  failure  would  cause  the  whole  system 
to  fail  by  locking  out  A.  Insisting  that  algorithms  be  robust  in  the  face 
of  a  certain  amount  of  failure  gives  us  a  formal  way  of  studying  degrees 
of  concurrency  which  in  turn  have  implications  for  the  running  time  of  the 
system. 

At  first  sight,  the  concepts  of  robustness  and  fairness,  say  FIFO  order¬ 
ing,  appear  to  be  contradictory.  Robustness  says,  for  example,  that  if  one 
process  fails  in  its  trying  protocol,  the  system  must  continue  to  function.  In 
particular,  other  processes  which  enter  their  trying  protocols  after  the  fadled 
one  will  necessarily  enter  their  critical  sections  ahead  of  it.  Since  the  appar- 
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ently  failed  process  might  actually  be  correct  but  slow,  robustness  implies  a 
violation  of  the  usual  definition  of  FIFO  ordering. 

The  problem  is  circumvented  by  defining  the  fairness  conditions  not  in 
terms  of  the  order  in  which  processes  enter  their  critical  sections  but  rather 
by  the  order  in  which  they  become  “enabled”  to  enter  their  critical  sections. 
By  enabled,  we  mean  that  a  process  no  longer  needs  to  wait  for  action  by  any 
other  process  before  it  can  go  into  its  critical  section,  nor  can  the  actions 
or  inactions  of  other  processes  prevent  it  from  so  doing.  Intuitively,  when 
a  process  becomes  enabled,  a  copy  of  the  resource  is  reserved  for  it,  and 
actions  of  other  processes  are  no  longer  needed  in  order  for  the  given  pro¬ 
cess  to  complete  its  trying  protocol.  The  key  distinction  between  enabling 
and  actual  entry  to  the  critical  section  is  that  a  process  might  become  en¬ 
abled  passively  by  the  action  of  some  other  process  changing  shared  memory, 
whereas  entry  to  the  critical  section  can  take  place  only  by  a  positive  action 
of  the  given  process. 

In  this  paper,  we  describe  an  algorithm,  the  Colored  Ticket  Algorithm, 
for  solving  the  fc-critical  section  problem  which  is  robust,  enables  processes 
in  FIFO  order,  and  uses  0{N^)  values  of  shared  memory  for  fixed  k.  The 
algorithm  can  be  thought  of  as  a  distributed  implementation  of  a  queue,  for 
it  simulates  the  behavior  that  would  be  achieved  by  explicitly  storing  the 
entire  queue  of  waiting  processes  in  shared  memory,  but  it  uses  far  less  shared 
space  and  is  fast  and  simple  to  implement.  We  also  show  our  algorithm  to  be 
essentially  optimal  in  terms  of  the  amount  of  shared  memory  used  by  giving 
an  Q{N'^)  lower  bound  on  the  number  of  distinct  shared  memory  values  for 
any  robust  algorithm  which  so  simulates  a  queue. 

If  one  weakens  the  robustness  conditions  to  permit  lockout  to  occur  in 
case  more  than  a  prespecified  number  of  processes  fail,  then  more  space- 
economical  solutions  are  possible  [FLBB79].  However,  these  solutions  lack 
the  elegance  and  simplicity  of  the  Colored  Ticket  .-V-lgorithm  as  well  as  its 
time  efficiency.  If  one  ignores  robustness  altogether,  then  0[N)  values  suffice 
[LF831. 

The  main  technical  content  of  the  paper  is  contained  in  the  next  four 
sections.  The  Colored  Ticket  Algorithm  is  presented  in  Section  2.  Section  3 
presents  a  formal  model  of  computation  and  precise  definitions  of  properties 
which  characterize  the  fc-critical  section  problem.  Section  4  describes  how 
to  translate  the  Colored  Ticket  Algorithm  to  a  process  in  the  formal  model 
and  sketches  how  to  prove  that  it  solves  the  k-critical  section  problem  in 
small  shared  space.  Section  5  contains  the  lower  bound  proof  that  shows 
the  Colored  Ticket  Algorithm  to  be  space-optimal  (to  within  a  constant 
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2  fc-critical  Section  Algorithms 

In  this  section,  we  present  four  algorithms,  each  a  refinement  of  the  preced¬ 
ing,  the  last  of  which  is  the  Colored  Ticket  Algorithm.  The  algorithms  run 
in  an  environment  consisting  of  N  processes,  each  with  its  own  private  mem¬ 
ory,  and  a  common  shared  memory  (database)  through  which  the  processes 
communicate.  Access  to  the  shared  memory  is  via  atomic  transactions  that 
allow  a  process,  in  one  indivisible  step,  to  read  the  entire  contents  of  shared 
memory  and  modify  it  in  an  arbitrary  way,  depending  in  general  on  the  data 
just  read. 

We  specify  our  algorithms  and  the  transactions  they  use  in  a  Pascal-like 
language  augmented  with  two  new  statements  for  specifying  transactions, 
start  and  commit.  Statements  executed  dynamically  after  start  and  before 
the  next  commit  comprise  a  single  atomic  transaction.  While  it  is  possible 
in  this  language  to  write  transactions  of  unbounded  size  (for  example,  by 
executing  a  loop  between  start  and  commit),  the  transactions  we  actually 
use  are  all  bounded,  a  fact  that  is  important  for  the  implementation  in  terms 
of  “test-and-set”  instructions  which  we  give  in  Section  3. 

In  order  for  our  algorithms  to  have  the  desired  correctness  and  robustness 
properties,  we  make  two  assumptions  about  the  implementation  of  transac¬ 
tions; 

1.  A  process  crash  in  the  middle  of  a  transaction  does  not  cause  the  sys¬ 
tem  to  hang  and  leaves  the  shared  memory  as  it  was  before  beginning 
the  transaction. 

2.  The  system  never  aborts  transactions.  (Alternatively,  a  transaction 
that  is  retried  repeatedly  will  eventually  succeed.) 

While  these  assumptions  are  difficult  to  implement  exactly,  they  can  be 
approximated  in  real  systems,  so  we  believe  our  algorithms  will  be  useful  in 
practice. 

As  a  convenience,  we  use  the  construct  “wait  until  C”  as  an  abbreviation 
foi  “while  not  C  do  [commit;  start)” .  Thus,  every  time  around  the  wait  loop 
ends  one  transaction  and  begins  another. 

2.1  The  Queue  Algorithm 

We  first  describe  a  simple  but  inefficient  solution  to  the  fc-critical  section 
problem.  This  basic  algorithm,  the  Queue  Algorithm,  stores  the  entire  queue 
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of  waiting  and  critical  processes  in  the  shared  variable.  A  process  in  any  of 
the  first  k  positions  of  the  queue  is  permitted  to  enter  its  critical  section. 
This  algorithm  requires  no  communication  among  processes  other  than  that 
provided  by  the  queue  itself,  and  in  fact,  each  process  need  only  change 
shared  memory  at  the  moments  of  entry  to  the  trying  protocol  and  remainder 
section. 

In  the  code  given  in  Figure  1,  the  shared  memory  contains  a  single  queue 
which  admits  two  operations.  ENQUEUE  places  an  element  at  the  rear 
of  the  queue,  and  REMOVE  deletes  a  particular  element  from  the  queue, 
regardless  of  where  it  occurs.  Initially,  the  queue  is  empty. 


repeat  forever 
start; 

ENQUEUE(i); 

wait  until  i  is  in  one  of  the  first  k  positions  of  QUEUE; 
commit; 

{  Critical  Section  } 
start; 

REMOVE(t); 

commit; 

{  Remainder  Section  } 
end  repeat. 


Figure  1:  Queue  algorithm  (code  for  process  »). 

Note  that  many  transactions  might  be  e.xecuted  before  the  process 
reaches  its  critical  section  since  each  execution  of  the  wait  loop  ends  one 
transaction  and  begins  another.  However,  only  the  first  of  these  actually 
updates  shared  memory;  the  others  are  all  “read-only”. 

2.2  Ticket  Systems 

While  the  Queue  Algorithm  satisfies  all  the  correctness  properties  we  want, 
keeping  the  queue  in  shared  memory  requires  too  much  space  to  make  the 
algorithm  very  interesting.  Our  goal  is  to  find  an  algorithm  equivalent  to  the 


8 


V 


Queue  Algorithm  which  keeps  a  lot  less  information  in  the  shared  variable. 

In  other  words,  we  wish  to  devise  a  space-efficient  “distributed  simulation” 
of  the  Queue  Algorithm. 

All  of  our  remaining  algorithms  are  modeled  after  the  ticket  systems 
often  used  in  bakeries.  A  process  wishing  to  enter  its  critical  section  takes 
the  next  available  ticket  from  an  ordered  sequence  of  tickets  and  then  waits 
until  its  ticket  becomes  valid,  at  which  point  it  is  enabled  to  enter  its  critical 
section  and  proceeds  to  do  so  on  its  next  step.  When  it  leaves  its  critical 
section,  it  discards  its  ticket  and  validates  the  next  ticket  in  order,  thereby 
allowing  the  next  process  in  line  to  proceed.  (In  case  no  process  is  cur¬ 
rently  waiting,  the  next  ticket  is  nevertheless  validated,  and  when  a  process 
eventually  takes  that  validated  ticket,  it  will  proceed  directly  to  its  criti¬ 
cal  section.)  Once  a  ticket  becomes  valid,  it  remains  valid  until  discarded. 
Tickets  are  validated  in  the  same  order  as  they  are  issued,  and  at  any  time, 
exactly  k  (non-discarded)  tickets  are  valid,  some  of  which  may  not  have  yet 
been  issued. 

Since  every  process  in  its  critical  section  holds  a  valid  ticket,  A;-exclusion 
is  satisfied.  Since  tickets  are  validated  in  the  order  in  which  they  are  issued, 
processes  are  enabled  in  FIFO  order,  so  the  algorithm  satisfies  our  fairness 
condition.  Robustness  follows  since  a  process  does  not  modify  shared  mem¬ 
ory  from  the  time  it  enters  its  trying  protocol  until  the  time  it  returns  to  its 
remainder  section;  hence,  whether  or  not  it  is  alive  in  the  meantime  has  no 
effect  on  the  rest  of  the  system. 

Any  such  ticket  algorithm  simulates  the  Queue  Algorithm  in  the  sense 
that  if  the  natural  correspondence  is  made  between  transactions  of  the  two 
algorithms  and  those  transactions  are  run  in  the  same  order,  then  processes 
enter  and  leave  their  critical  and  remainder  sections  in  exactly  the  same 
order  in  both.  Indeed,  the  simulated  queue  of  the  Queue  Algorithm  can 
be  obtained  by  arranging  the  processes  holding  tickets  in  increasing  order 
of  their  tickets.  Issuing  a  ticket  corresponds  to  adding  a  process  to  the 
end  of  the  queue,  and  discarding  a  ticket  together  with  validating  the  next 
corresponds  to  removing  a  process  from  the  queue.  The  k  valid  tickets 
always  correspond  to  the  first  k  positions  of  the  queue. 

Code  to  implement  this  basic  paradigm  is  shown  in  Figure  2.  Func¬ 
tion  TAKE_NEXT_TICKET  issues  the  next  available  ticket  and  return.*:  it  to 
the  calling  program.  Function  IS_VALID(T)  returns  a  Boolean  value  telling 
whether  or  not  the  ticket  T  is  valid.  Procedure  VALIDATE_NEXT_TICKET(r) 
discards  the  ticket  T  and  updates  shared  memory  so  as  to  cause  the  next 
invalid  ticket  in  sequence  to  become  valid.  In  order  to  fully  specify  a  ticket 
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algorithm,  one  must  specify  these  three  subroutines. 


local  variable  TICKET; 
repeat  forever 
start; 

TICKET  :=  TAKE_NEXT_TICKET; 
wait  until  IS.VALID (TICKET); 
commit; 

{  Critical  Section  } 
start; 

VALID  ATE_NEXT_TICKET  (TICKET) ; 
commit; 

{  Remainder  Section  }; 
end  repeat. 


Figure  2:  Basic  ticket  algorithm  (code  for  process  t). 


2.3  The  Numbered  Ticket  Algorithm 

The  first  ticket  system  we  present,  the  Numbered  Ticket  Algorithm,  uses  an 
infinite  number  of  values  and  hence  requires  an  unbounded  amount  of  shared 
memory  for  its  implementation.  The  Colored  Ticket  algorithm,  which  uses 
only  finite  shared  memory,  is  then  described  as  two  further  modifications  of 
this  algorithm. 

In  the  Numbered  Ticket  Algorithm,  tickets  are  natural  numbers  in  their 
usual  order.  The  algorithm  maintains  two  variables  in  shared  memory. 
ISSUE  holds  the  most  recently  issued  ticket,  and  VALID  holds  the  most 
recently  validated  ticket.  Initially  ISSUE  =  0  and  VALID  =  k.  An  entering 
process  takes  a  ticket  by  incrementing  ISSUE  and  using  the  variable’s  new 
value  as  its  ticket  number.  Ticket  number  t  is  valid  whenever  VALID  >  t; 
hence,  any  process  can  determine  by  looking  in  shared  memory  whether  or 
not  its  ticket  is  valid.  A  process  returning  to  its  remainder  section  discards 
its  ticket  and  increments  VALID. 


The  code  for  the  Numbered  Ticket  Algorithm  is  shown  in  Figures  2  and 
3.  The  initial  value  of  the  local  variable  TICKET  does  not  matter  to  the 
operation  of  the  algorithm. 


global  variable  ISSUE  =  0,  VALID  =  it; 

function  TAKE_NEXT_TICKET:  ticket; 
begin 

ISSUE  :=  ISSUE  +  1; 
return  ISSUE; 

end; 

function  IS_VALID(T):  Boolean 
begin 

return  (T  <  VALID) 

end; 

procedure  VALIDATE_NEXT_TICKET(r); 
begin 

VALID  :=  VALID  +  1; 

end; 


Figure  3:  Numbered  ticket  algorithm. 

The  drawback  to  the  Numbered  Ticket  Algorithm  is,  of  course,  that 
ISSUE  and  VALID  grow  without  bound. 

2.4  Colored  Ticket  Algorithms 

We  now  give  two  variations  of  the  Numbered  Ticket  Algorithm  based  on 
the  idea  of  colored  tickets,  the  second  of  which  is  the  final  Colored  Ticket 
Algorithm. 

In  the  previous  algorithm,  either  ISSUE  or  VALID  could  be  larger  than 
the  other,  and  we  say  the  larger  one  leads  the  smaller.  (In  case  of  equality, 
each  leads  the  other.)  However,  they  could  never  be  too  far  apart.  If  VALID 
leads  ISSUE,  then  there  are  VALID  —  ISSUE  valid  but  not-issued  tickets; 
hence 


VALID  -  ISSUE  <  k. 


>  > 


V 


If  ISSUE  leads  VALID,  then  all  k  valid  tickets  are  held  by  processes,  and 
there  are  ISSUE  -  VALID  invalid  tickets  ’  Id  by  processes  waiting  in  their 
trying  protocols.  Since  there  are  only  N  processes  in  all,  k  of  which  hold 
valid  tickets,  we  conclude  that 

ISSUE  -  VALID  <  N  -  k. 

Let  M  >  1  +  max(fc,iV  -  k).  Then  we  can  determine  which  variable 
leads  the  other  given  only  the  information: 

•  B=  ([VALID/A/J  =  [ISSUE/A/J) 

•  V  =  VALID  mod  M 

•  /  =  ISSUE  mod  M 

Namely,  if  B  =  true,  then  VALID  leads  ISSUE  iff  V  >  /,  and  if  B  =  false, 
then  VALID  leads  ISSUE  iff  V  <  /.*  Thus,  we  divide  the  tickets  into  blocks 
of  size  M.  B  is  true  iff  VALID  and  ISSUE  are  in  the  same  block;  V  and  I  are 
the  relative  positions  of  VALID  and  ISSUE  within  their  respective  blocks.  It 
is  easy  to  see  that  if  VALID  and  ISSUE  are  not  in  the  same  block,  then  they 
must  be  in  consecutive  blocks,  and  the  condition  on  M  insures  that  which 
block  leads  which  can  be  determined  by  comparing  V  and  I. 

The  colored  ticket  algorithms  replace  numbered  tickets  by  colored  tickets 
that  consist  of  ordered  pairs  T  =  (t»c),  where  t,  the  value  of  T,  is  a  number 
between  0  and  M  ~  I  indicating  the  position  of  the  ticket  within  the  block, 
and  c,  the  color  of  T,  is  a  non-negative  integer  indicating  the  block  that 
contains  the  ticket.  We  write  T. VALUE  and  T. COLOR  to  denote  the  two 
components  of  T.  There  is  a  natural  one-to-one  correspondence  V;  between 
numbered  ticket  t  and  colored  ticket  (i  mod  Af,  [t/AfJ).  Using  this  corre¬ 
spondence,  a  process  can  determine  for  colored  tickets  whether  VALID  leads 
ISSUE  without  using  the  ordering  on  colors  by  computing: 

•  B  ;=  (VALID.COLOR  =  ISSUE.COLOR) 

•  V  :=  VALID.VALUE 

•  I  :=  ISSUE. VALUE 

*ln  case  it  /  N  —  fc,  we  can  actually  take  A/  =  max(l:,  N  —  k)  and  adjust  the  conditions 

appropriately. 
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and  then  applying  the  above  remarks.  It  also  follows  from  the  above  remarks 
that  (VALID.COLOR  -  ISSUE.COLOR(  <  1. 

Now,  a  process  can  easily  determine  whether  or  not  a  ticket  T  that  it 
holds  is  valid.  T  is  always  valid  if  its  color  differs  from  both  VALID.COLOR 
and  ISSUE.COLOR,  for  then  its  color  must  be  less  than  both.  If  T's  color  is 
the  same  as  VALID.COLOR,  then  T  is  valid  iff  T. VALUE  <  VALID.VALUE. 
Finally,  if  T’s  color  is  the  same  as  ISSUE.COLOR  but  different  from 
VALID.COLOR,  then  T  is  valid  iff  VALID  leads  ISSUE.  Using  these  ideas, 
the  function  IS_VALID  can  be  defined  as  in  Figure  4. 

function  LEADS(A,  B):  Boolean;  {  Testa  if  A  leads  D  } 
begin 

if  A.COLOR  =  B.COLOR  then 

return  (A.VALUE  >  B. VALUE) 

else 

return  (A.VALUE  <  B.VALUE); 

end; 

function  IS_VALID(T):  Boolean; 
begin 

if  r.COLOR  =  VALID.COLOR  then 
return  (T. VALUE  <  VALID.VALUE) 
else  if  r.COLOR  =  ISSUE.COLOR  then 
return  LEADS(VALID,  ISSUE) 

else 

return  true; 

end; 

Figure  4:  Validity  testing  functions  for  colored  tickets. 


Unbounded  Colored  Ticket  Algorithm  We  complete  the  Unbounded 
Colored  Ticket  Algorithm  by  exhibiting  in  Figure  5  the  definitions  for 
the  ticket  issuing  and  validating  functions.  Initially,  ISSUE  =  (0,0)  and 
VALID  =  (it,0). 

The  Unbounded  Colored  Ticket  Algorithm  simulates  the  Numbered 
Ticket  Algorithm  using  the  correspondence  between  numbered  tickets  and 


UP.  I'l'V  P, 


constant  M  =  1  +  max{k,N  -  k); 

global  variable  ISSUE  =  (0,0),  VALID  =  (Ar,0) 

function  TAKE_NEXT_TICKET:  ticket; 
begin 

if  ISSUE. VALUE  <  M  -  I  then 

ISSUE. VALUE  :=  ISSUE. VALUE  +  1 
else  begin 

ISSUE. VALUE  :=  0; 

ISSUE.COLOR  :=  ISSUE.COLOR+  1; 
end; 

return  ISSUE; 

end; 

procedure  VALIDATE_NEXT_TICKET{T); 
begin 

if  VALID.VALUE  <  M  -  1  then 

VALID.VALUE  :=  VALID.VALUE  +  1 
else  begin 

VALID.VALUE  :=  0; 

VALID.COLOR  ;=  VALID.COLOR  +  1; 
end; 


Figure  5:  Unbounded  colored  ticket  algorithm. 
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colored  tickets  given  above.  Thus,  we  have  bounded  the  set  of  ticket  “val¬ 
ues”  at  the  cost  of  introducing  an  unbounded  set  of  “colors” .  It  may  appear 
that  no  progress  has  been  made,  but  the  algorithm  paves  the  way  for  the 
final  modification  which  yields  the  space-efficient  Colored  Ticket  Algorithm. 

Colored  Ticket  Algorithm  We  now  present  the  main  contribution  of 
the  paper,  the  Colored  Ticket  Algorithm.  Like  the  previous  algorithms,  it 
simulates  the  Queue  Algorithm,  but  it  b  very  space  efficient,  requiring  only 
0  {N^)  values  of  shared  memory.  It  b  obtained  by  modifying  the  Unbounded 
Colored  Ticket  Algorithm  so  that  only  k  +  I  different  colors  are  used.  This 
requires  that  tickets  (and  colors)  be  reused. 

The  change  from  the  unbounded  version  of  the  algorithm  comes  when 
ISSUE.COLOR  or  VALID.COLOR  b  to  be  incremented.  The  new  algorithm 
instead  considers  two  cases.  If  the  leading  pointer  (ISSUE  or  VALID)  is  being 
incremented,  then  a  new  color  is  chosen  that  is  different  from  the  color  of 
any  currently  issued  or  validated  ticket  and  different  from  the  color  of  the 
other  pointer.  This  insures  that  no  two  processes  ever  simultaneously  hold 
the  same  ticket.  If  the  trailing  pointer  is  being  incremented,  then  it  is  set 
equal  to  the  color  of  the  leading  pointer.  That  this  is  correct  follows  from 
the  fact  that  the  pointers  (in  the  Numbered  Ticket  Algorithm)  never  differ 
by  more  than  M. 

To  see  that  it  is  always  possible  to  select  a  new  color  when  needed,  we 
show  (for  the  Unbounded  algorithm)  that  every  color  in  use  at  the  time  a 
new  color  is  needed  is  the  same  as  the  color  of  some  valid  ticket;  hence, 
at  most  k  colors  are  then  in  use.  A  color  is  in  use  if  it  is  the  color  of 
a  valid  or  issued  ticket  that  has  not  been  discarded,  or  if  it  is  equal  to 
VALID.COLOR  or  ISSUE.COLOR.  Note  that  in  the  exit  protocol,  a  new 
ticket  is  validated  immediately  before  the  old  one  is  discarded,  so  except  for 
the  brief  moment  between  validating  the  new  ticket  and  discarding  the  old 
one,  exactly  k  tickets  are  valid,  the  most  recently  validated  ticket  T  is  still 
valid,  and  VALID.COLOR  =  T.COLOR.  Hence,  VALID.COLOR  is  always  the 
color  of  one  of  the  k  valid  tickets,  so  it  suffices  to  show  that  when  a  new 
color  b  needed,  both  ISSUE.COLOR  and  the  colors  of  all  issued  but  not  yet 
validated  tickets  are  the  same  as  VALID.COLOR. 

There  are  two  cases.  If  a  new  color  is  needed  because  VALID  is  about 
to  be  incremented,  then  VALID. VALUE  =  \I  -  1,  VALID  leads  ISSUE,  and 
a  process  is  in  its  exit  protocol  attempting  to  validate  a  new  ticket.  Then 
ISSUE.COLOR  =  VALID.COLOR  since  v"'(VALlD)  -  U’-'(ISSUE)  <  k  < 
M  -  1.  Since  there  are  no  issued  but  not  validated  tickets,  the  only  colors 


in  use  are  those  belonging  to  the  k  valid  tickets. 

On  the  other  hand,  if  a  new  color  is  needed  because  ISSUE  is  about  to 
be  incremented,  then  ISSUE.VALUE  =  Af  -  1,  ISSUE  leads  VALID,  and  a 
ticket  is  abbut  to  be  issued  to  an  entering  process.  Again,  ISSUE.COLOR  = 
VALID.COLOR,  for  (ISSUE) -V'"* (VALID)  <  N-k<  A/- 1.®  Moreover, 
any  outstanding  invalid  tickets  lie  between  VALID  and  ISSUE,  so  they  also 
have  color  VALID.COLOR.  Again,  the  only  colors  in  use  are  those  belonging 
to  the  k  valid  tickets. 

We  conclude  that  with  /:  + 1  colors  altogether,  there  is  always  a  free  color 
whenever  a  new  one  is  needed. 

To  permit  a  process  to  determine  which  color  is  free,  we  introduce  an 
array  QUANT  of  length  k  +  I  into  the  shared  variable,  where  QUANT(c)  6 
{0, 1,. . . gives  the  number  of  valid  tickets  of  color  c.  There  are  exactly 
k  valid  tickets,  so  the  total  number  of  different  values  for  the  QUANT  array 
is  the  number  of  partitions  of  k  into  k  +  I  sets,  or  While  this  number 
is  exponential  in  k,  it  is  independent  of  N.  QUANT  is  updated  whenever  a 
ticket  is  discarded  and  a  new  one  is  validated. 

The  code  for  finding  a  new  color  is  shown  in  Figure  6.  It  simply  scans 
for  a  color  with  QUANT  =  0. 

function  NEW_COLOR;  integer;  {  Returns  unused  color  } 

local  variable  C; 

begin 

C  :=  0; 

while  QUANT(C)  >  0  do  C  :=  C  +  1; 
return  C 

end; 

Figure  6:  Find  unused  color  function  (used  by  colored  ticket  algorithm). 

The  final  algorithm  is  contained  in  Figures  2,  4,  6  and  7.  Initially, 
ISSUE  =  (0,0)  and  VALID  =  (A:,0). 

This  algorithm  simulates  the  Unbounded  Colored  Ticket  Algorithm.  To 
prove  this,  one  shows  that  any  two  issued  or  validated  (and  not  discarded) 
tickets  T  and  T'  have  the  same  color  in  this  algorithm  iff  they  have  the  same 

^Actually,  0“' (ISSUE)  -  ^“‘(VALID)  <  N  —  k—\  since  the  entering  process  does  not 
yet  hold  a  ticket,  but  we  do  not  make  use  of  this  fact. 


constant  M  =  1  +  max{k,  N  —  k); 

global  variable  ISSUE  =  (0,0),  VALID  =  (Jk,0),  QUANT[0], . . .  ,QUANTlA:)  =  0; 

function  TAKE_NEXT_TICKET:  ticket; 
begin 

if  ISSUE.VALUE  <  M  -  1  then 

ISSUE. VALUE  :=  ISSUE.VALUE  +  1 
else  begin 

if  LEADS(ISSUE,  VALID)  then 

ISSUE.COLOR  :=  NEW_COLOR 
else 

ISSUE.COLOR  :=  VALID.COLOR; 

ISSUE.VALUE  :=  0 
end; 

return  ISSUE; 

end; 

procedure  VALIDATE_NEXT_TICKET(r); 
begin 

if  VALID.VALUE  <  M  -  1  then 

VALID.VALUE  :=  VALID.VALUE  +  1 
else  begin 

if  LEADS(VALID,  ISSUE)  then 

VALID.COLOR  :=  NEW_COLOR 
else 

VALID.COLOR  :=  ISSUE.COLOR; 

VALID.VALUE  ~  0 
end; 

{  Update  quantity  information.  } 

QUANT(VALID.COLOR)  ;=  QUANT(VALID.COLOR)  +  1; 

QUANT (T.COLOR)  :=  QUANT(T.COLOR)  -  1; 

end; 


Figure  7:  Colored  ticket  algorithm. 


color  in  the  Unbounded  algorithm;  hence,  the  two  algorithms  always  make 
the  same  decisions.  We  leave  the  details  to  the  reader. 

The  total  number  of  shared  memory  values  needed  by  the  Colored  Ticket 
Algorithm  b  the  product  of  the  number  of  values  assumed  by  QUANT, 
ISSUE,  and  VAMD.  This  works  out  to  C^){{k  +  1)M)*  =  Q(iV*)  as  de¬ 
sired,  since  M  —  0{N). 


3  A  Formal  Model  for  Systems  of  Processes 

We  now  present  a  formal  model  of  computation  and  state  the  conditions 
that  define  the  ib-critical  section  problem.  The  model  is  derived  from  that 
of  [BJLFP82].  It  can  also  be  regarded  as  a  special  case  of  the  general  model 
of  [LFSl]. 

3.1  Processes  and  Systems 
A  process  is  a  quadruple  P  =  {V^Xy6,Z),  where 

•  V  is  a  set  of  values  for  a  shared  variable, 

•  X  is  a  (not  necessarily  finite)  set  of  process  states, 

•  6  is  a  total  function  from  V  x  X  to  V  x  X,  the  transition  function, 
and 

•  is  a  total  function  from  X  to  {R,T,C,E},  the  region  function. 

Assume  process  P  is  in  state  x  and  the  shared  memory  has  value  v.  A  step 
of  P  changes  the  state  to  s'  and  the  shared  memory  to  v',  where  (v',x')  = 
6(w,a:). 

For  a  state  x  €  X,  J?(x)  gives  the  region  of  x,  where  R  denotes  the 
remainder  region,  T  the  trying  region,  C  the  critical  region  and  E  the  exit 
region.  We  assume  that  6  respects  Z  as  follows.  For  every  (v,  i)  6  V  x  X: 

1.  ^(x)  €  implies  Z{6[y,x))  €  {T,C},  and 

2.  Z(x)  €  {C,E}  implies  ;?(d(u,x))  €  {E,R}. 

The  allowed  transitions  are  indicated  in  Figure  8.  The  transitions  out  of 
R  and  T  comprise  the  trying  protocol,  and  the  transitions  out  of  C  and  E 
comprise  the  exit  protocol.^  We  “abstract  away”  the  steps  comprising  the 
critical  and  remainder  sections  treating  only  the  protocols  explicitly;  hence 
the  absence  of  self-loops  on  R  and  C.  Thus,  the  next  step  of  a  process  in  R 
takes  it  out  of  R,  and  similarly  for  C. 

*Oar  formal  model  imposes  a  slight  restriction  on  the  form  of  protocols  in  that  all 
transitions  leaving  a  state  of  the  trying  region  must  belong  to  the  trying  protocol  (and 
similarly  for  the  exit  region  and  protocol).  Thus,  a  process,  once  permitted  to  begin 
its  critical  section,  must  first  take  a  step  to  leave  the  trying  region  before  it  begins 
executing  steps  of  its  critical  section,  and  the  step  which  takes  it  out  of  the  trying 
region  is  considered  to  be  a  part  of  the  trying  protocol.  This  restriction  is  for  technical 
convenience  only  and  does  not  weaken  the  results,  for  any  protocol  can  be  easily  put 
into  this  form  by  adding  dummy  steps  to  the  ends  of  the  trying  and  exit  protocols. 


Figure  8:  Possible  region  changes. 


For  a  natural  number  N,  let  [iV)  denote  A  system  S  of  N 

processes  is  a  collection  of  processes  Pi  =  1  <  i  <  iV,  all 

having  the  same  shared  variable  V. 

An  instantaneous  description  (i.d.)  q  of  S  is  a,  snapshot  of  the  configura¬ 
tion  of  5  and  completely  determines  S’s  possible  future  behaviors.  Formally, 
q  is  an  (yV-bl)-tuple  (u,  ii, . . .  where  v  €  V  is  the  contents  of  the  shared 
variable  and  i,  €  Xi,  I  <  i  <  N,  are  the  states  of  the  N  processes.  We 
denote  v  by  V{q)  and  by  Xi(q),  I  <  i  <  N. 

The  functions  6,  and  Zi  of  the  individual  processes  are  naturally  ex¬ 
tended  to  functions  on  the  set  of  i.d.’s  of  5  by  defining 

6,  (v,  Z] , .  .  .  ,  Xfi  )  =  (u  ,  Xj , .  .  .  ,  X,’_| ,  X  ,  Xi+l ,  .  .  .  ,  Xfi/ ) 

where  {v',x')  =  6,(t;,x,),  and 

lJ,(v,x,,...,iAr)  =  lJ,(x,). 

A  schedule  h  for  S  is  any  finite  or  infinite  sequence  of  elements  of 
A  schedule  describes  the  interleaving  of  process  steps  in  a  particular  “run” 
of  the  system.  Since  the  processes  are  deterministic,  the  entire  run  is  deter¬ 
mined  by  the  starting  i.d.  q  of  the  system  and  a  schedule  h.  Formally,  the 


-  - 


run  determined  by  q  and  h  =  /»i,/ij,...  is  the  finite  or  infinite  sequence  of 
i.d.’s  Q{q,h)  =  qo,qi,q2,...  such  that: 

1.  If  h  is  infinite  then  Q(q,h)  is  infinite,  and  if  h  is  finite  then  |Q(<7,h)|  = 

\h\  +  l. 


2.  qo  =  q. 

3.  If  9i-i,9,  are  successive  elements  of  Q(?,h),  then  9,  =  6/i.(g,_i). 

If  Q{q,h)  is  finite,  then  the  last  i.d.,  q,,  is  the  result  of  Q(q,h),  and  we 
denote  q,  by  6(q,h)t  extending  6  once  again.  I.d.  q'  is  reachable  from  q  via 
h  provided  6{q,h)  =  q\  and  q'  is  reachable  from  q  if  q'  is  accessible  from  q 
via  some  finite  schedule  h. 

3.2  Equivalence  of  Systems 

Let  5  and  S'  be  systems  of  N  processes,  with  q  and  q'  i.d.’s  of  S  and  S' 
respectively.  We  say  that  {S,q)  and  (S',q')  are  equivalent  if  for  every  finite 
schedule  h,  all  processes  are  in  the  same  regions  in  6{q,h)  and  S'{q',h);  that 
is,  for  every  i  €  (A^),  =  ^J(y(g',h)). 

3.3  Dependencies  Among  Processes 

We  have  noted  that  processes  are  always  free  to  leave  their  remainder  or 
critical  regions  on  their  own,  but  the  same  is  not  true  for  the  trying  and 
exit  regions.  We  next  give  some  important  definitions  that  describe  possible 
dependencies  among  processes  progressing  through  their  regions. 

Let  Z  denote  any  region.  A  process  Pi  in  a  system  of  processes  is  Z- 
enabled  in  i.d.  q  if  for  every  schedule  Tl  in  which  i  occurs  infinitely  often, 
there  is  a  finite  prefix  h  of  h  such  that  Zi{6(q,h))  =  Z.  Thus,  the  Z-enabled 
i.d.’s  are  those  in  which  a  process  is  either  already  in  Z  or  will  eventually 
enter  Z  if  it  takes  infinitely  many  steps,  no  matter  what  the  other  processes 
do.  Note  that  a  process  P,  can  become  Z-enabled  because  of  its  own  actions 
or  because  of  actions  of  other  processes.  A  Z-enabled  process  can  be  thought 
of  as  passively  belonging  to  region  Z. 

We  say  that  P,  is  T- waiting  in  q  if  it  is  in  T  but  is  not  C-enabled  in  q. 
Similarly,  we  say  that  P,  is  E- waiting  in  q  if  it  is  in  E  but  is  not  P-enabled 
in  q. 
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3.4  Properties  of  Systems 

We  now  state  the  properties  that  define  the  fc-critical  section  problem. 
Throughout  this  section,  S  denotes  a  system  of  N  processes,  q  an  i.d.  of 
S,  k  <  N  a.  natural  number,  and  i^Y  the  cardinality  of  the  set  Y. 

Our  first  condition  is  the  basic  /;-exclusion  condition. 

•  A;-Exclusion.  I.d.  q  satisfies  k-excluaion  if  #{»  6  [iV]  |  Zi{q)  =  C)  < 
k.  S  satisfies  k-exclusion  from  q  if  every  i.d.  reachable  from  9  in  S 
satisfies  A:-exclusion. 

Note  that  any  set  of  processes  that  are  C-enabled  but  not  in  C  can,  by 
taking  steps  on  their  own,  reach  an  i.d.  in  which  all  are  simultaneously  in  C. 
Thus,  if  S  satisfies  /:-exclusion  from  9,  the  number  of  C-enabled  processes 
in  any  i.d.  reachable  from  q  is  at  most  k. 

Our  second  condition  describes  our  robustness  requirements.  We  say 
that  i.d.  q  is  k-full  if  #{»  €  [N^j  (  P,  is  C-enabled  in  9}  >  k.  We  say  that  a 
process  P,  makes  progress  in  a  run  if,  for  some  pair  of  i.d.’s  q'  and  q"  in  the 
run,  either 

1.  Zi{q')^Z.{q"),or 

2.  Pi  is  T-waiting  in  q'  but  not  in  q",  or 

3.  P,  is  E-waiting  in  7'  but  not  in  q". 

•  Avoidance  of  A:-Deadlock.  An  infinite  schedule  h  exhibits  fc- 
deadlock  from  q  if  no  process  makes  progress  in  the  run  Q(q,h),  and 
either 

1.  some  process  is  T-waiting  in  q  and  q  is  not  fc-full,  or 

2.  some  process  is  E-waiting  in  7.® 

5  avoids  k-deadlock  from  7  if  no  infinite  schedule  exhibits  fc-deadlock 
from  any  i.d.  reachable  from  7. 

®Intuitively,  a  schedule  exhibits  fc-deadlock  if  some  process  “wants”  to  make  progress 
and  progress  is  possible,  but  no  process  actually  does  make  progress.  At  first  sight, 
it  might  seem  necessary  to  exclude  failed  processes  from  consideration  in  the  formal 
definition,  for  we  do  not  consider  that  progress  is  possible  for  failed  processes.  However, 
it  is  unnecessary  to  distinguish  between  failed  and  non-failed  processes  because  our 
convention  of  no  self-loops  on  R  and  C  implies  that  every  non-failed  process  “wants" 
to  make  progress  (since  it  cannot  continue  taking  steps  and  remain  in  or  C),  and  at 
least  one  process  is  non-failed  in  every  infinite  schedule. 


Our  third  and  final  condition  describes  the  fairness  property,  FIFO  en¬ 
abling.  Intuitively,  violation  of  FIFO  enabling  occurs  if  a  process  remains 
T-waiting  while  another  process,  beginning  in  its  remainder  region,  becomes 
C-enabled.  Similarly,  a  violation  occurs  if  a  process  remains  ^-waiting  while 
another  process,  beginning  in  its  critical  region,  becomes  i?-enabled.  For¬ 
mally,  let  q  be  an  i.d.  and  h  a  finite  schedule.  We  say  Py  overtakes  Pi  in 
Q{q,h)  if  P,  is  T-waiting  in  all  i.d.’s  of  Q(g,h),  Zj{q)  =  R,  and  Py  is  C- 
enabled  in  6{q,h),  or  if  P,  is  E-waiting  in  all  i.d.’s  of  Q(q,h),  Zj{q)  =  C, 
and  Pj  is  P-enabled  in  6{q,h). 

•  FIFO  Enabling.  S  achieves  FIFO  enabling  from  q  if  for  all  q'  reach¬ 
able  from  q,  all  finite  schedules  ft,  and  all  i,j  €  [A^],  Py  does  not 
overtake  P,  in  Q(q',k}. 

The  Problem  Let  q  be  an  i.d.  with  every  process  in  its  remainder  region. 
A  system  5  solves  the  k-critical  section  problem  starting  from  q  if  it  satisfies 
fc-exclusion,  avoids  A;-deadlock,  and  achieves  FIFO  enabling  from  q. 


4  Upper  Bound 


The  Colored  Ticket  Algorithm,  when  translated  into  the  formalism  of  our 
model,  shows  that  the  k-critical  section  problem  can  be  solved  by  a  system 
S  that  uses  only  0  {N^)  values  of  shared  memory. 

The  translation  requires  a  few  comments.  The  transactions  used  in  the 
algorithm  make  several  accesses  to  the  shared  global  variables,  change  inter¬ 
nal  variables,  and  branch  to  one  of  several  possible  exits  depending  on  the 
values  in  shared  and  private  memory  at  the  start  of  the  transaction.  In  our 
formal  model,  each  transaction  becomes  a  single  process  step.  The  program 
counter  and  all  internal  storage  of  a  process  is  represented  by  the  state  x, 
and  the  entire  contents  of  the  global  variables  is  represented  by  the  value  v 
of  the  shared  variable.  To  construct  the  value  (t/,x')  of  the  transition  func¬ 
tion  6{v,x),  if  the  program  counter  in  x  points  to  a  start  instruction,  then 
run  the  algorithm  until  it  encounters  a  commit  statement,  and  move  the 
program  counter  past  the  commit,  x'  is  the  state  and  v'  the  shared  memory 
contents  that  results.  If  a  commit  is  never  reached,  or  if  the  program  counter 
in  X  does  not  point  to  a  start  instruction,  then  £(v,x)  is  defined  arbitrarily. 
This  translation  is  not  fully  general,  but  it  is  adequate  for  algorithms  such 
as  ours  in  which  every  transaction  terminates,  and  the  next  instruction  to 
be  executed  after  a  commit  is  always  a  start. 

Theorem  4.1  The  Colored  Ticket  Algorithm,  when  translated  into  the  for¬ 
mal  model  as  described  above,  solves  the  k-critical  section  problem  and  uses 
{k  -t-  +  max{k,N  -  k))^  =  0{N^)  values  of  shared  memory. 

A  formal  proof  can  be  constructed  following  the  development  given  in 
Section  2.  Namely,  one  first  proves  that  the  Queue  Algorithm  solves  the  k- 
critical  section  problem.  Next  one  shows  that  each  of  the  three  successively- 
presented  algorithms  is  equivalent  to  the  preceding  in  the  sense  formally 
defined  in  Section  3.2.  Finally,  one  applies  the  following  lemma,  whose 
proof  is  straightforward. 

Lemma  4.2  Assume  {S,q)  is  equivalent  to  (S',q').  If  S  satisfies  the  k- 
critical  section  problem  from  q,  then  S'  satisfies  the  k-critical  section  problem 
from  q'. 
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5  Lower  Bound 


In  this  section,  we  establish  a  lower  bound  on  the  size  of  the  shared  variable 
of  any  system  of  processes  that  solves  the  Ar-critical  section  problem.  We 
assume  throughout  that  k  and  N  are  natural  numbers  with  N  >  k  +  2,  5  is 
a  system  of  N  processes,  and  go  is  aji  i.d.  with  every  process  in  its  remainder 
region  such  that  5  solves  the  A;-critical  section  problem  from  go- 

Our  method  of  proof  is  to  construct  a  collection  of  runs  and  show  that 
each  leaves  the  shared  variable  in  a  distinct  state.  In  order  to  carry  out  the 
construction,  we  need  several  “liveness'’  lemmas  that  show  certain  kinds  of 
progress  are  always  possible. 

5.1  Progress  Lemmas 

We  begin  with  some  basic  properties  which  follow  from  the  fact  that  5 
solves  the  k-critical  section  problem.  FIFO  enabling  places  rather  severe 
constraints  on  the  order  in  which  processes  can  become  C-enabled,  which 
are  expressed  by  the  relation  -<,  that  we  next  define. 

Consider  any  i.d.  g  and  processes  Pi  and  Pj.  We  define  »  j  to  hold 
precisely  if  one  of  the  following  conditions  holds  at  g; 

1.  P;  is  C<enabled  and  Pj  is  in  Eu  R-, 

2.  Pi  is  C-enabled  and  Pj  is  T-waiting; 

3.  Pi  is  T-waiting  and  Pj  is  in  U  R; 

4.  Pi  and  Pj  are  both  T-waiting,  and  in  some  run  leading  from  go  to  g. 
Pi  last  entered  T  before  Pj  did. 

We  also  define  ahead/ (g)  =  {«  6  [iVj  |  i  j}.  The  ordering  -<,  is  illustrated 
in  Figure  9.^ 

The  first  lemma  says  that  the  order  in  which  processes  become  C-enabled 
from  g  respects  -<f. 

Lemma  5.1  Let  q  be  reachable  from  go,  and  let  i  -<,  j.  Let  h  be  a  finite 
schedule  such  that  Pj  is  C-enabled  in  6{q,h).  Then  Pi  is  C-enabled  in  some 
i.d.  in  Q(q,h). 

^One  can  show  that  if  4  is  reachable  from  qo,  then  -<«  is  a  strict  partial  order  which 
totally  orders  the  T-waiting  processes  in  q,  as  illustrated,  but  we  do  not  need  this  fact. 


C-enabled 


T-waiting 


E\JR 


Figure  9:  The  relation 


Proof:  Assume  the  conditions  of  the  lemma.  Since  »  j,  Pi  is  either  C- 
enabled  or  T- waiting  in  y.  If  P,-  is  C-enabled,  then  we  simply  choose  h'  —  X, 
the  null  schedule,  and  we  are  done.  Hence,  assume  P,  is  T-waiting  in  q. 

Again  since  t  -<f  j,  P/  is  either  in  EU  P  or  is  T-waiting  in  q.  In  either 
case,  there  exists  an  i.d.  qi  (possibly  equal  to  q)  and  schedules  /iq,  hi  such 
that  qi  is  reachable  from  qo  via  ho,  g  is  reachable  from  gi  via  hi,  Pj  \s  in 
Pu  P  in  qi,  and  P  is  T-waiting  in  every  (f  €  Q(qi,hi).  p  b  not  T-waiting 
in  every  q'  €  Q{q,h),  for  if  it  were,  then  Pj  overtakes  P  in  Q{qi,hi  h), 
violating  FIFO  enabling.  Hence,  p  is  C-enabled  in  some  i.d.  in  Q{q,h).  I 

The  next  lemma  implies  that  among  the  T-waiting  processes  there  is  one 
that  is  “ahead”  of  all  the  others. 

Lemma  5.2  Let  q  be  reachable  from  go,  and  assume  that  at  least  one  process 
is  T -waiting  in  q.  Then  there  is  a  T -waiting  processes  Pi  in  q  such  that  i  -<,  j 
for  all  j  /  i  such  that  Pj  is  T -waiting  in  q. 

Proof:  Let  q  be  reachable  from  90  via  h,  and  consider  the  run  Q[qo,h). 
Order  the  T -waiting  processes  in  q  according  to  the  times  of  their  most  recent 
entry  to  T  in  Q{qo,h),  and  let  p  be  the  first  such  process.  By  definition, 
»  -<,  j  holds  for  all  j  ^  i  such  that  Pj  is  T-waiting  in  q.  I 


Lemma  5.3  Ltt  q  be  reachable  from  qq. 

1.  If  q  is  not  k-fuU,  then  no  process  is  T-toaiting  in  q. 
t.  No  process  is  E -waiting  in  q. 

Proof:  1.  Assume  that  q  is  not  ik-full  but  some  process  is  T-waiting  in  q. 
We  proceed  to  derive  a  contradiction. 

By  Lemma  5.2,  there  is  a  T-waiting  process  Pi  in  q  such  that  i  ■<q  j  for 
all  j  ^  t  such  that  Py  is  T-waiting  in  q.  Since  Pi  is  T-waiting  in  9,  there  is 
a  schedule  h  in  which  Pi  takes  infinitely  many  steps  but  it  remains  in  T  in 
every  i.d.  of  Q{q,h)‘,  hence  Pi  is  T-waiting  in  every  i.d.  of  Q{q,h). 

Suppose  a  process  Py  becomes  C-enabled  during  Q{q,h).  That  is,  sup¬ 
pose  one  can  write  h  =  hi  ■  hi  ■  hi  such  that  Py  is  not  C-enabled  in 

=  6(fl,hi),  but  Py  is  C-enabled  in  6(?i,h2).  Then  i  -<,j  j  holds  by 
definition,  so  by  by  Lemma  5.1,  Pi  is  C-enabled  at  some  i.d.  in  Q{qi,hi), 
a  contradiction.  Hence,  no  process  becomes  C-enabled  during  Q{q,h),  so 
none  of  the  i.d.’s  in  Q{q,h)  are  k-full. 

Now,  for  some  suffix  Q(q',h')  of  the  run  Q(qyh),  no  process  makes 
progress  since  each  process  can  diange  region  or  become  A-enabled  only 
a  finite  number  of  times  without  becoming  C-enabled.  Thus,  h’  exhibits 
k-deadlock  from  q',  contradicting  the  avoidtmce  of  k-deadlock  condition. 

2.  The  proof  is  similar  (and  simpler).  Assume  that  Pi  is  waiting  in 
q.  Then  there  is  a  schedule  h  in  which  takes  infinitely  many  steps  but  it 
remains  in  E  in  every  i.d.  of  Q{q,h).  It  follows  that  p  is  E-waiting  in  every 
i.d.  of  Q{q,h). 

Only  processes  Py  already  in  E  in  9  can  become  i2-enabled  during 
Q{q,h),  and  that  can  happen  at  most  once  per  process,  for  otherwbe  Py 
would  overtake  P,  violating  the  FIFO  enabling  condition.  Hence,  in  some 
suffix  Q{q',h')  of  the  run  Q{q,h),  no  process  makes  progress  since  each  pro¬ 
cess  can  change  region  or  become  C-enabled  only  a  finite  number  of  times 
without  becoming  iZ-enabled.  Then  h!  exhibits  k-deadlock  from  9',  contra¬ 
dicting  the  avoidance  of  l:-deadlock  condition.  I 

The  following  lemma  says  that  a  process  can  only  be  C-enabled  while  it 
is  in  its  trying  or  critical  region. 

Lemma  5.4  Let  9  be  reachable  from  90.  If  process  Pi  is  C-enabled  in  q, 
then  Pi  is  inTuC  in  9. 


Proof:  Assume  the  contrary,  that  Pi  is  C-enabled  in  q,  and  is  in  ^  U  A 
in  q.  For  each  j  €  [iV],  J  /  i,  run  Pj  for  zero  or  more  steps  until  an  i.d. 
is  reached  in  which  it  b  in  T  U  C.  Thb  procedure  must  terminate  after  a 
finite  number  of  steps,  for  otherwise  Pj  remains  forever  in  Eu  R.  But  that 
b  impossible  by  Lemma  5.3  amd  the  absence  of  self-loops  on  region  R.  Call 
the  resulting  i.d.  q*. 

In  q*,  every  process  other  than  Pi  b  either  T-waiting  or  b  C-enabled.  At 
most  k  processes  can  be  C-enabled  (by  the  remark  following  the  definition 
of  k-exclusion).  Thus,  since  we  assume  N  >  k  +  2,  some  process  Pt  b  T- 
waiting  in  <f.  Pi  b  still  C-enabled  in  (/  (by  definition  of  enabling),  so  it 
enters  C  in  the  run  Q{q\  t”*)  for  some  m.  By  Lemma  5.3,  q'  b  ik-full,  so 
Pt  remains  T-w^ting  throughout  Q(?*,t"*).  But  then  P,-  overtakes  Pt  in 
Q(^',t"*),  violating  FIFO  enabling.  I 

The  next  lemma  says  that,  no  matter  what  the  other  processes  do, 
any  process  in  its  trying  region  that  takes  infinitely  many  steps  eventually 
reaches  its  critical  region,  provided  that  there  are  not  too  many  processes 
ahead  of  it. 

Lemma  5.5  Let  q  be  reachable  from  qo,  and  let  Pi  be  m  T  m  q.  Then 
#aheadi(9)  <k  iff  Pi  ia  C-enabled  in  q. 

Proof:  Assume  the  conditions  of  the  lemma. 

(=>)  Suppose  #ahead|(9)  <  k  but  Pi  b  not  C-enabled  in  q.  Then  Pi  must 
be  T-waiting  in  q,  so  by  Lemma  5.3,  q  b  Ar-full.  But  then  all  the  processes 
which  are  C-enabled  in  q  are  in  ahead, (9),  so  that  #ahead,-(9)  >  k.  Thb  b 
a  contradiction. 

{■^)  If  Pi  b  C-enabled  in  q,  then  P-  b  in  T  U  C  by  Lemma  5.4.  But  then 
ahead,' (9)  =  (9.  I 

The  next  lemma  says  that  it  b  always  possible  for  all  the  processes  to 
run  so  as  to  end  up  simultaneously  in  their  remainder  regions. 

Lemma  5.6  Let  q  be  reachable  from  qo.  Then  there  exists  q'  reachable  from 
q  such  that  every  process  is  in  its  remainder  region  in  q'.  Moreover,  q'  can 
be  reached  from  q  via  a  schedule  t'n  which  no  process  already  in  its  remainder 
region  in  q  takes  any  steps. 

Proof:  It  suffices  to  show  that  if  not  adl  processes  are  in  their  remainder 
regions,  then  there  b  some  P,  not  in  R  which  b  C-  or  P-enabled.  Assuming 


we  have  shown  that  such  a  Pi  exists,  we  run  Pi  until  it  changes  regions.  We 
then  repeat  this  construction  on  each  resulting  i.d.  l  til  an  i.d.  is  reached  in 
which  all  processes  are  in  R.  This  procedure  must  eventually  terminate  since 
each  process  can  change  regions  only  finitely  many  times  before  entering  its 
remainder  region. 

Now  suppose  that  every  processes  not  in  A  is  neither  C-  nor  A-enabled 
in  q.  Then  q  is  not  Ar-full,  since  no  process  is  C-enabled,  by  assumption  and 
Lemma  5.4.  By  Lemma  5.3,  no  process  is  T-  or  ^-waiting  in  q;  therefore,  no 
process  is  in  T  U  £  in  9.  But  also  no  process  b  in  C  in  9  since  no  process  is 
C*enabled.  Hence,  every  process  is  in  R.  It  follows  that  if  not  all  processes 
are  in  R,  then  some  such  process  is  C-  or  A-enabled,  as  desired.  I 


5.2  The  Schedule  h{i,j) 

Now  choose  any  9  reachable  from  90  io  which  all  processes  are  in  their 
remainder  regions.  9  exists  by  Lemma  5.6.  Fix  i  and  jf,  with  k  <  j  <  i  < 
N  ~  1.  Construct  a  schedule,  h(i,j),  as  follows. 

1.  Starting  at  9,  each  of  P\,...,Pit  takes  steps  on  its  own,  just  until  it 
enters  its  critical  region.  This  is  possible  by  Lemma  5.5.  Then  each 
of  Pk+i, . . .  ,Ps  takes  one  step,  going  to  its  trying  region.  Let  P/v’s 
state  after  its  entry  be  denoted  by  x,  for  future  reference.  (Note  that 
X  does  not  depend  on  t  or  j.) 

2.  Pi  takes  steps  on  its  own,  just  until  it  returns  to  its  remainder  region, 
leaving  one  empty  critical  slot.  This  is  possible  by  Lemma  5.3.  Call 
the  resulting  i.d.  9^  for  later  reference.  (Note  that  9'  does  not  depend 
on  i  or  j.) 

3.  Each  of  Pi+i, . . . ,  P  in  turn  takes  steps  on  its  own,  just  until  it  returns 
to  its  remainder  region.  This  is  possible  by  Lemmas  5.5  and  5.3. 

4.  Each  of  Pit+i  ,...,Pj  takes  one  step,  thereby  entering  its  trying  region 
once  again.  The  resulting  i.d.  is  denoted  9(1,7). 

This  construction  is  diagrammed  in  Figure  10.  Arrows  are  labeled  by 
‘O’,  ‘1’,  or  to  indicate  that  the  corresponding  process  takes  0,  1,  or  an 
unspecified  number  of  steps. 
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Figure  10:  The  Lower  Bound  Construction. 


5.3  Distinctness  of  shared  values 

We  now  relate  the  construction  to  the  size  of  shared  memory. 

Lemma  5.7  The  shared  variable  has  a  distinct  value  in  each  q{i,j). 

Proof:  Assume  to  the  contrary  that  y{q{i,j))  =  y{q{i',j'))  for  (»,y)  ^ 
(i',j').  Without  loss  of  generality,  it  suffices  to  consider  two  cases. 

Case  1:  i  <  i'. 

Among  all  T-waiting  processes  in  q{i',j’),  Pi'+i  was  the  first  to  enter  its 
trying  region,  so  #ahead,<+i(g(i',/))  =  ^  -  1.  Then  P>+i  is  C7-enabled  in 
q{i',j')  by  Lemma  5.5.  Also  Pi’+i  is  in  the  same  state  in  both  q{i,j)  and 
q{i',j').  Since  also  the  shared  variable  has  the  same  value  in  both  i.d.’s,  it 
follows  that  Pi'+i,  starting  from  q{i,j),  can  take  some  number  m  of  steps 
and  enter  its  critical  region.  We  claim  that  the  schedule  H  =  h(i,j)  ■  (t'  + 1)”* 
violates  FIFO  enabling  from  q.  This  is  because  goes  from  its  remainder 
to  its  critical  region  during  K  while  P>i ,  which  entered  its  trying  region  first. 
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remains  T-waiting.  (i^>i  does  not  become  C-enabled  during  71,  for  if  it  did, 
then  ^-exclusion  would  be  violated  in  the  schedule  X  ■  (t  +  1)*^.) 

Case  2:  i  =  i'  and  j  <  j'. 

Consider  schedule  h  constructed  as  follows.  Starting  from  q{i,j), 
Pjf+i  takes  one  step,  thereby  entering  the  trying  region.  Then  each  of 
Pi+i,...  ,PN,Pit+i,...,Pj,  in  turn,  takes  sufficiently  many  steps  to  return 
to  its  remainder  region,  possible  by  Lemmas  5.5  and  5.3.  Call  the  resulting 
i.d.  qi-  Then  aheady>4.i(9i)  =  {2,...,Ar},  so  Py*+i  is  C-enablcd  in  qi  by 
Lemma  5.5. 

Now  consider  the  application  of  h  to  q{i,j')  and  let  be  the  resulting  i.d. 
is  in  the  same  state  in  both  91  and  q[,  and  also  the  shared  variable 
has  the  same  value  in  both  i.d.’s;  thus  Pj'+i,  starting  from  (fi,  can  take 
some  number  m  of  steps  and  enter  its  critical  region.  Hence,  Pji+i  enters 
its  critical  region  in  the  run  Q(q{i,f),h'),  where  h'  —  h  ■  {j'  +  l)"*.  The 
schedule  A'  violates  FIFO  enabling  from  q{i,f),  for  P/»+i  overtakes  Pj+\  in 
I 

5.4  Lower  bound  theorem 

Finally  we  prove  the  main  lower  bound  result. 

Theorem  5.8  Let  N  >  k  2,  and  let  S  be  a  ayatem  of  N  proceaaea  with 
value  aet  V  for  ita  ahared  variable,  and  let  qo  be  an  i.d.  such  that  S  aolvea 
the  k-critical  aection  problem  from  qo.  Then 

\V\>k^~^~^^  +  N-k-l  =  n{N^). 

Proof:  The  proof  proceeds  by  induction  on  k. 

Base:  k  =  1. 

By  Lemma  5.7,  there  are  at  least  (^2  *)  =  ^  ^  -  2  distinct 

values. 

Inductive  step:  k  >  1. 

By  Lemma  5.7,  there  are  distinct  values  of  the  variable  for  the 

i.d.’s  q(i,j)  for  i,j  satisfying  k<j<i<N-2.  Each  such  q{i,j)  is  A-full 
since  Pj,...,Pt  and  Pj+i  are  C-enabled  in  q{i,j).  Hence,  by  k-exclusion, 
if  v(i,j)  is  the  value  of  the  shared  variable  in  q{i,j),  then  no  finite  number 
of  applications  of  P^’s  transition  function  to  the  pair  {v{i,j),x)  can  put 
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Pn  in  its  critical  region.  (Recall  that  Ps  is  in  the  same  state  x  in  each 

Now  reconsider  the  construction  of  Section  5.2.  Starting  at  q',  let  each  of 
Pi,...,Pk  take  steps  until  they  return  to  their  remainder  regions,  possible 
since  all  are  R-enabled  by  Lemma  5.5.  Now  let  each  of  Pfc+i,. .  in 

turn  enter  their  critical  regions  and  then  return  to  their  remainder  regions, 
again  possible  by  Lemmas  5.5  and  5.3.  Call  the  resulting  i.d.  9". 

Pi,...,Pyv-i  are  in  their  remainder  regions  and  Pn  is  in  its  trying  re¬ 
gion  in  9",  so  Pn  is  C-enabled  in  9"  by  Lemma  5.5.  From  9",  consider 
P11  ■  • .  1  Pn-\  as  comprising  a  system.  S',  of  iV  -  1  processes.  Since  S  solves 
the  A;-critical  section  problem  from  9,  it  can  be  shown  that  S'  solves  the 
(fc  -  l)-critical  section  problem  from  (the  appropriate  restriction  of)  9". 
Thus,  by  induction,  the  number  of  values  that  can  be  taken  on  by  S''s 
shared  variable  is  at  least 

Since  Pn  is  C-enabled  in  9",  each  value  v  that  can  be  taken  on  by  the  shared 
variable  in  i.d.’s  reachable  from  9"  using  only  Pi,...,P/v_i  has  the  property 
that  some  finite  number  of  applications  of  6n  to  the  pair  (v,  i)  will  put  Pn 
in  its  critical  region.  Thus,  these  shared  variable  values  are  disjoint  from 
the  values  v(i,j)  considered  above. 

We  conclude  that 

,fN-k-i\  „  ,  , 

=  2  j+iV-fc-1, 

as  desired.  I 
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6  Summary  and  Open  Questions 

In  this  paper,  we  have  described  the  ib-critical  section  problem  in  general 
terms  and  have  defined  am  extremely  robust  version  of  the  problem:  equiv¬ 
alence  with  a  particular  simple  but  space-inefficient  algorithm,  the  Queue 
Algorithm. 

As  our  main  result,  we  have  presented  an  interesting  new  algorithm,  the 
Colored  Ticket  Algorithm,  which  solves  the  given  version  of  the  problem 
and  uses  only  O(N^)  vailues  of  the  shared  variable.  Our  lower  bound  proof 
shows  that,  for  fixed  k,  this  algorithm  is  optimal  to  within  a  constant  faurtor 
in  terms  of  number  of  values  of  shared  memory. 

There  is  still  a  large  gap  between  the  constants  in  the  upper  and  lower 
bounds.  Both  depend  on  k,  but  the  constant  in  the  upper  bound  is  expo¬ 
nential  in  k,  while  the  constant  in  the  lower  bound  is  linear  in  ib.  It  remains 
to  close  this  gap. 
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